product-microgateway
Choreo Connect 1.0.0 - Need to expose /token, /revoke, /authorize, /apikey and /userinfo
Describe your problem(s)
Currently, Choreo Connect does not have /token, /revoke, /authorize, /apikey and /userinfo endpoints to route requests to the key manager, similar to Microgateway 3.2.0.
Describe your solution
Need to expose the above endpoints through Choreo Connect.
We are only exposing the following: /token, /revoke, /authorize and /userinfo
Closing Notes
- When retrieving a token from a Key Manager, the recommendation is to directly get the token from API Manager, which supports configuring External Key Managers. This link includes the steps to connect a Key Manager (such as Okta, Keycloak) to API Manager: https://apim.docs.wso2.com/en/latest/administer/key-managers/configure-custom-connector/
- From API Manager 4.0.0 onwards, the Key Manager endpoints are no longer exposed via the API Gateway as additional endpoints: https://apim.docs.wso2.com/en/4.0.0/get-started/about-this-release/#key-changes
- A requirement for the above-mentioned additional endpoints (/token, /revoke, /authorize and /userinfo) may occur during migration from API Gateway or MGW 3.2.0. Here, the suggested approach is to create an API to expose these endpoints with its own TLS certificates.
- Yet, there can be cases where rerouting the existing HTTP clients is not feasible (ex: /token -> /token/1.0.0, where /token is the endpoint called by the client and /token/1.0.0 is the endpoint exposed by Choreo Connect). In such a scenario, the "Default Version" API feature would come in handy. With this feature the API can have a basepath without including the version in the context: https://apim.docs.wso2.com/en/latest/design/api-versioning/backward-compatibility/#default-version
- Exposing the Key Manager endpoints as an API would allow applying all the capabilities supported by APIs (rate limiting, access control, analytics, updating certificates with ease).
- If using this approach, one might have to pay special attention to the permissions of these APIs to ensure not everyone would be able to access them, in both API Publisher and Developer Portal.
- Choreo Connect 1.0.0 does not support the above-mentioned Default Version feature. It is supported from 1.1.0 onward. This GitHub issue tracked the implementation of exposing the above endpoints with limited capabilities (Vhost, CORS, backend certs) for 1.0.0, and it was released with the update version 1.0.0.6.
@pubudu538 Please comment if anything is missed or must be corrected.
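As an added illustration of the migration approach described in the closing notes (this is not code from the issue or from the Choreo Connect project), below is one shape an OpenAPI definition for a gateway-fronted /token API could take. Everything here is an assumption to be checked against the Choreo Connect documentation for your version: the `x-wso2-*` extension names and their fields, the way the gateway joins base path, version and resource path, the hypothetical Key Manager host `km.example.internal`, and the hypothetical allowed origin `https://portal.example.com`. Default Version is not expressed in the definition itself; it is chosen when the API is deployed.

```yaml
# Added example, not from the issue or the project. Assumed: the x-wso2-*
# extensions below exist in your Choreo Connect version, and the Key Manager
# is reachable at https://km.example.internal (hypothetical host).
openapi: 3.0.1
info:
  title: TokenAPI
  version: 1.0.0
  description: >-
    Fronts the Key Manager token endpoint at the gateway. Deployed as the
    Default Version so existing clients keep calling /token rather than
    /token/1.0.0 (the versioned context this base path would otherwise get).

# Assumed extension: base path of the API at the gateway. With the single
# resource "/" below, the client-facing path is /token (default version).
x-wso2-basePath: /token

# Assumed extension: the backend is the Key Manager's own token endpoint,
# reached over TLS. Trust for the backend certificate ("backend certs" in the
# issue) is configured on the gateway at deployment, not in this file.
x-wso2-production-endpoints:
  urls:
    - https://km.example.internal/oauth2/token

# Assumed extension and design choice: the gateway's own OAuth2 check is off
# for this API because the caller is requesting its first token and cannot
# present one. The Key Manager still authenticates the client itself
# (client_id/client_secret); rate limiting, analytics and Publisher/DevPortal
# permissions on this API remain in force.
x-wso2-disable-security: true

# Assumed extension: keep CORS narrow. A browser client talking to a token
# endpoint should not be granted a wildcard origin.
x-wso2-cors:
  corsConfigurationEnabled: true
  accessControlAllowOrigins:
    - https://portal.example.com
  accessControlAllowCredentials: false
  accessControlAllowHeaders:
    - Authorization
    - Content-Type
  accessControlAllowMethods:
    - POST

paths:
  /:
    post:
      summary: OAuth2 token request forwarded unchanged to the Key Manager
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              properties:
                grant_type:
                  type: string
      responses:
        '200':
          description: Token response as returned by the Key Manager
        '401':
          description: Client authentication failed at the Key Manager
```

The same pattern repeats for /revoke, /authorize and /userinfo as separate APIs (or one API with a shared base path, if the client paths permit it). Vhost and backend certificates, the other two capabilities the issue lists for 1.0.0.6, are set when the API is deployed rather than in the definition. Before exposing anything, restrict who can see and subscribe to these APIs in the Publisher and Developer Portal, as the closing notes advise, and confirm that only the HTTP methods the Key Manager actually accepts are allowed through.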